
Re: Firewall/Router on same Subnet?



	If I understand your situation you are using the same IPs for
your internal hosts that your firewall is ARPing for externally? This
would be a difficult situation to work with as the firewall machine
would need quite a bit of extra configuration/routing information to
make this even work... 

	In my case I have a /29 subnet assigned from my provider... I
have my firewall ARP or IP alias them to its external interface (eth0)
and then its internal interface (eth1) is given a private IP address
within 192.168.XXX/24 as are all my other hosts... As my IPs are all
static I use SNAT/DNAT liberally and it works fine... And by adding the
POSTROUTING rule to the NAT policy as listed in the NAT-HOWTO the
internal machines can still access the public services using the
external IPs without a problem...

	Respectfully,
	Jeremy
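The setup Jeremy describes (public /29 aliased on eth0, DNAT/SNAT to private DMZ hosts, plus the NAT-HOWTO POSTROUTING rule so internal hosts can reach the public addresses) as an added, constructed example; it is not code from the list post. The addresses, interface names and the `nat_rules` helper are assumptions; the script prints the commands for review rather than applying them.

```shell
#!/bin/sh
# Constructed layout: provider block 203.0.113.8/29, firewall public address
# on eth0, firewall internal address 192.168.1.1/24 on eth1 (all assumed).
EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.1.0/24
FW_INT_IP=192.168.1.1

# Emit the commands for one public IP -> one DMZ host/service.
# Usage: nat_rules <public_ip> <internal_ip> <proto> <port>
nat_rules() {
    pub=$1; priv=$2; proto=$3; port=$4
    # Alias the public IP onto the external interface so the firewall answers
    # ARP for it on the WAN side.
    echo "ip addr add ${pub}/29 dev ${EXT_IF}"
    # Inbound DNAT. Deliberately no '-i eth0' match: packets from internal
    # hosts addressed to the public IP must be rewritten too.
    echo "iptables -t nat -A PREROUTING -d ${pub} -p ${proto} --dport ${port} -j DNAT --to-destination ${priv}"
    # Outbound SNAT: traffic from the DMZ host leaves with its own public IP.
    echo "iptables -t nat -A POSTROUTING -s ${priv} -o ${EXT_IF} -j SNAT --to-source ${pub}"
    # Hairpin rule (the NAT-HOWTO POSTROUTING rule): an internal client hitting
    # the public IP is DNATed to ${priv}; without this SNAT the server would
    # reply straight to the client on the LAN, bypassing the firewall, and the
    # client would drop the reply because its source address does not match.
    echo "iptables -t nat -A POSTROUTING -s ${INT_NET} -d ${priv} -p ${proto} --dport ${port} -j SNAT --to-source ${FW_INT_IP}"
    # NAT only rewrites addresses; FORWARD still has to accept the flow.
    echo "iptables -A FORWARD -d ${priv} -p ${proto} --dport ${port} -m state --state NEW,ESTABLISHED -j ACCEPT"
}

# Number of command lines emitted, used as a sanity check on the output.
nat_rule_count() { nat_rules "$@" | wc -l | tr -d ' '; }

# Review the output first; apply with: nat_rules ... | sh  (as root)
nat_rules 203.0.113.10 192.168.1.10 tcp 80
```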

On Thu, Jan 31, 2002 at 10:11:13AM -0600, Jeremy wrote:
> Here's what you should know:
> =============================
> iptables
> debian 2.4.19
> Firewall Ethernet connection is as follows: eth0 is connected to WAN and
> eth1 is connected to a switch, which is my DMZ. All my other servers are
> connected to that switch)
> 
> My firewall acts as a router, using ROUTE and ARP to pass the packets from
> the firewall to all the other computers on the same subnet. What I realized
> (correct me if I'm wrong) is that routers cannot forward packets across the
> same subnet (hence why you use ARP).
> 
> THE PROBLEM
> ==============
> INPUT is FINE
> OUTPUT is FINE
> FORWARD is FOOBAR
> 
> My firewall doesn't like to FORWARD packets back out. Everything goes into
> the DMZ but nothing goes out. I cannot whois, lynx etc. Subnetting is out of
> the question.
> 
> Here is why I think this is so:
> ================================
> If you ARP an IP, it will send it as a MAC address (layer 2) and the router
> can't handle it because it is a layer 3 device.
> 
> WHAT CAN I DO TO FIX THIS PROBLEM? I don't want to change the current
> configuration i.e. NATing or subnetting.
> 
> Much appreciated for any help.
> 
> Regards,
> Jeremy